In order to infect users, email disguised as a shipment notification from Fedex were mass-mailed to target victims.

This email contains a downloader Trojan which installs TSPY_SPCESEND.A.” This downloader also installs other malicious executables on affected systems including FAKEAV variants from the BestAV affiliate network and FakeHDD variants from the Yamba network. These were observed to be downloaded from compromised, legitimate websites.

Furthermore, this downloader Trojan also shares the same C&C with the TSPY_SPCESEND.A. This strongly suggests that the document-stealing sendspace Trojan is pushed by cybercriminals who are also involved in the Pay-Per-Sell (PPS) underground business.

Command and Control Server

After the malware uploads a .ZIP archive containing the victim’s documents to sendspace, it sends the sendspace download link along with a unique ID, the password for the .ZIP archive and the victim’s IP address to the command and control (C&C) server.

However, this is the first time we’re seeing malware being used to upload stolen data to the file hosting and transfer site.

In this attack, the infection starts off with a malicious file, Fedex_Invoice.exe, detected as TROJ_DOFOIL.GE. The file name used for this particular malware suggests that it is being used for a spam campaign, specifically one that uses messages disguised as a FedEx shipment notification. We are currently trying to find a sample of the mentioned spammed message.

TSPY_SPCESEND.A is a “grab and go” Trojan that searches the local drive of an affected system for MS Word and Excel files. The collected documents are then archived and password-protected using a random-generated password in the user’s temporary folder. Here’s an example of an archive of collected documents:

After creating the archive, TSPY_SPCESEND.A sends it to Sendspace.com:

The said vulnerability is triggered when Windows Multimedia Library in Windows Media Player (WMP) fails to handle a specially crafted MIDI file, consequently allowing remote attackers to execute arbitrary code.

In the attack that we found, the infection vector is a malicious HTML which we found hosted on the domain, hxxp://images.{BLOCKED}p.com/mp.html. This HTML, which Trend Micro detects as HTML_EXPLT.QYUA, exploits the vulnerability by using two components that are also hosted on the same domain. The two files are: a MIDI file detected as TROJ_MDIEXP.QYUA, and a JavaScript detected as JS_EXPLT.QYUA.

HTML_EXPLT.QYUA calls TROJ_MDIEXP.QYUA to trigger the exploit, and uses JS_EXPLT.QYUA to decode the shellcode embedded in HTML_EXPLT.QYUA’s body. Below is a screenshot of HTML_EXPLT.QYUA’s code. Notice the highlighted parts where it calls the MIDI and JavaScript components:

Upon successfully exploiting the vulnerability, it decodes and executes the decoded shellcode. This shellcode then connects to a site to download an encrypted binary:

This binary is then decrypted and executed as a malware detected as TROJ_DLOAD.QYUA. We’re still conducting further analysis on TROJ_DLOAD.QYUA, but so far we’ve been seeing some serious payload, including rootkit capabilities.

Meanwhile, as the routines stated above happens in the background, the affected users remains unsuspecting and sees the following:

In this post, we will reorient readers on the infection chain of such an attack to help them understand why basic mitigation practices are still effective and can help them protect themselves from today’s threats.

In a typical spam campaign that involves malware, cybercriminals lure users through social engineering to perform several actions before the intended payload gets executed. For example, a user needs to download, extract, and execute a supposedly “benign” file for a spam attack to succeed.

Spam campaigns that use exploit kits, however, are a bit more dangerous since these only need to lure the users into clicking a malicious link for the rest of the infection to take place.

Below is an example of this type of spam supposedly from the National Automated Clearing House Association (NACHA). NACHA manages the ACH network, which facilitates bulk payment transactions involving businesses, governments, and consumers. Users who are more likely to receive email from NACHA conduct transactions related to payroll, government benefits, tax refunds, and others.